With the widespread growth of non-cash transactions in recent times, consumers are increasingly relying upon various non-cash payment instruments such as credit cards, debit cards, contactless cards or another type of payment/transaction card, as well as traditional checks or other negotiable instruments, in order to complete transactions at point-of-sale (POS) locations. As the use of these payment instruments has increased, associated adverse behavior such as fraud and so-called “identity theft” has increased even more dramatically. Recently, it has been estimated that identity theft is the fastest growing crime in many countries worldwide.
One of the primary gateways for identity theft or other fraudulent behavior is found in POS applications, because these applications are often responsible for initiating a transaction request to a back-end payment processor. Thus, the POS applications generally have access to personal and/or other sensitive information such as credit/debit card numbers or the like. Accordingly, one of the biggest issues in, e.g., the retail industry today is the fact that POS applications have access to payment instrument data without much in the way of security and are thus one of the major sources from which such data is illegally obtained, either by hackers or employees of the POS location.
A typical POS application reads data from a payment card's magnetic tracks by means of a Magnetic Stripe Reader (MSR) device. This data often includes much sensitive information such as the card number, expiration date, cardholder's name, etc. The application sends the data to the payment service provider to charge or authorize a payment. Typically, the application has full control over the data: it can store it in a database or handle it in any other way. Consequently, many credit card networks such as Visa and MasterCard prohibit storing of card information; however, there is conventionally no way to enforce this policy. Today, most of the leaks of sensitive data happen not from POS applications intentionally revealing the data but from those applications simply mishandling the data and unintentionally exposing it to hackers or the like, generally due to a lack of secure programming expertise on the part of the application developers. Handling sensitive data in a secure manner is often a challenge even for programmers trained in the field.